AWS IoT Policies

AWS IoT policies are JSON documents. They follow the same conventions as IAM
policies. AWS IoT supports named policies so many identities can reference the
same
policy document. Named policies are versioned so they can be easily rolled
back.

AWS IoT defines a set of policy actions that describe the operations and resources
to which you can grant or deny access. For example:

iot:Subscribe represents permission to subscribe to an MQTT
topic or topic filter.

iot:GetThingShadow represents permission to get a device's
shadow.

AWS IoT policies allow you to control access to the AWS IoT data plane. The AWS IoT
data
plane consists of operations that allow you to connect to the AWS IoT message
broker,
send and receive MQTT messages, and get or update a device's shadow. For more
information, see AWS IoT Policy Actions.

An AWS IoT policy is a JSON document that contains one or more policy statements.
Each statement contains an Effect, an Action, and a
Resource. The Effect specifies whether the action will
be allowed or denied. The Action specifies the action the policy is
allowing or denying. The Resource specifies the resource or resources
on which the action is allowed or denied. The following policy grants all devices
permission to connect to the AWS IoT message broker, but restricts the device
to
publishing on a specific MQTT topic: